Describe the bug
A heap buffer overflow with get_next_packet() in the 4.3.3 version of tcpreplay.
=================================================================
==122745==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d000000880 at pc 0x7f13ee199983 bp 0x7ffca329ebe0 sp 0x7ffca329e390
READ of size 131190 at 0x61d000000880 thread T0
#0 0x7f13ee199982 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806
#1 0x55e38ac7f758 in get_next_packet /tcpreplay-4.3.3/src/send_packets.c:1060
#2 0x55e38ac7a545 in preload_pcap_file /home//tcpreplay-4.3.3/src/send_packets.c:442
#3 0x55e38ac82007 in main /tcpreplay-4.3.3/src/tcpreplay.c:126
#4 0x7f13edf74d09 in __libc_start_main ../csu/libc-start.c:308
#5 0x55e38ac769d9 in _start (/tcpreplay-4.3.3/src/tcpreplay+0x129d9)
0x61d000000880 is located 0 bytes to the right of 2048-byte region [0x61d000000080,0x61d000000880)
allocated by thread T0 here:
#0 0x7f13ee209e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x7f13ee13a485 (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x27485)
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806 in __interceptor_memcpy
Shadow bytes around the buggy address:
0x0c3a7fff80c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fff80f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a7fff8110:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==122745==ABORTING
To Reproduce
Steps to reproduce the behavior:
download tcpreplay-4.3.3.tar.gz
apt-get -y install libpcap-dev
cd tcpreplay-4.3.3 && ./congfigure && make && make install
Expected Behavior:
Replay the packet and return the results of the packet replay.
System (please complete the following information):
OS: x86_64 GNU/Linux(Debian)
OS version: rodete 20210414.00.06RD and Ubuntu 20.04
Tcpreplay Version : 4.3.3
sudo src/tcpreplay -V
tcpreplay version: 4.3.3 (build git:v4.3.3)
Copyright 2013-2018 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta
Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
The entire Tcpreplay Suite is licensed under the GPLv3
Cache file supported: 04
Not compiled with libdnet.
Compiled against libpcap: 1.10.0
64 bit packet counters: enabled
Verbose printing via tcpdump: enabled
Packet editing: disabled
Fragroute engine: disabled
Injection method: PF_PACKET send()
Not compiled with netmap
fklassen
commented
3 years ago
Describe the bug A heap buffer overflow with get_next_packet() in the 4.3.3 version of tcpreplay.
To Reproduce Steps to reproduce the behavior:
Expected Behavior: Replay the packet and return the results of the packet replay.
System (please complete the following information):
Additional context None
Payload : id:000000,sig:11,src:000000,time:311422,op:flip1,pos:74.zip